S - 1 Panel 4: Accounting for Cybersecurity Reporting and Attestation Issues October 2, 2015.

Post on 03-Jan-2016


S - 1

Panel 4: Accounting for Cybersecurity Reporting and Attestation Issues

October 2, 2015

S - 2

The Cybersecurity Issue

Increasing Board Concern
As a result of the widely publicized cyber attacks on major corporations and public sector entities by hackers, criminals and foreign governments, cybersecurity is gaining increasing attention from boards of directors, customers, business partners, and regulators.

Causes Not Well Defined or Understood
Are these attacks due to a lack of standards, inadequate regulations, managements' failures to adopt adequate countermeasures, lapses in monitoring, or a lack of satisfactory technical solutions?

Evaluating Cybersecurity Initiatives
Entities are currently in the process of evaluating their cybersecurity programs, and are discussing options for communicating how they achieve their cybersecurity objectives.

Independent Reporting
One key aspect of communicating the achievement of cybersecurity objectives is the ability to provide assurance by way of a report on cybersecurity controls from an independent assessor.

S - 3

The Cybersecurity Issue

The AICPA’s Response
The AICPA’s Assurance Services Executive Committee (ASEC) formed the ASEC Cybersecurity Working Group to work in collaboration with the AICPA’s Auditing Standards Board (ASB) in developing practitioner guidance for performing examination-level attestation engagements related to cybersecurity.

Tools for the Profession
The working group will be responsible for identifying or developing suitable measurement criteria and for developing a cybersecurity attestation guide, as well as a supply chain/vendor management attestation guide, to provide performance and reporting guidance for practitioners engaged to report on controls over cybersecurity for an entity or portions of an entity (i.e. system(s), related systems, operating unit or division).

Effective Reporting
A cybersecurity attestation report will provide useful information to users in making decisions as stakeholders in the entity.

S - 4

Cybersecurity Discussants

Chris Halterman, Partner EY

Chris Halterman is an Executive Director in the Advisory Services practice of Ernst & Young LLP, with more than 26 years of experience in the public accounting profession, focusing on IT and process controls and information integrity. He leads EY’s Advisory Service Organization Control Reporting practice globally and in the Americas, with responsibility for developing methodology, training, client service strategy, quality assurance programs and market initiatives. Chris is a member of the AICPA Assurance Services Executive Committee (ASEC) and chairs the ASEC Trust/Information Integrity Task Force. In this role, he leads the AICPA’s efforts to establish the criteria for evaluating system security, availability, processing integrity, confidentiality and privacy. As Chair of the ASEC task force, Chris speaks regularly on SOC 1 (formerly SSAE 16) and SOC 2 reports in the US and internationally. He also serves as signing executive for a major service organization’s SOC 1 and SOC 2 reports and performs quality review on numerous other reports.

S - 5

Cybersecurity Discussants

Graham Gal, University of Massachusetts

Graham Gal is an Associate Professor of Business Administration at the Isenberg School of Management in the Department of Accounting and Information Systems. His research interests include business ontologies, specification of internal controls, continuous monitoring, continuous reporting, organizational security policies, and controls for sustainability reporting.

Dr. Gal has recently presented his work at the University of Vienna’s Value Modeling and Business Ontologies symposium, the REA Workshop at CAISE, The University of Melbourne, Marmara University’s Ethics, Fraud, Governance and Social Responsibility Symposium, and Rutgers’ Continuous Reporting and Monitoring workshops. He has published in a number of journals including: Journal of Emerging Technologies in Accounting, Decision Sciences, Expert Systems Review, Expert Systems, Journal of Information Systems, The Information Systems Control Journal, Advances in Accounting Information Systems, The International Journal of Accounting Information Systems, and The International Journal of Information Management. Dr. Gal is an associate editor of the Journal of Emerging Technologies in Accounting and The International Journal of Auditing Technology.

S - 6

Cybersecurity Moderator

Cybersecurity Participation

Open Discussion Following the Discussants’ Presentations

Robert G. Parker, Retired Deloitte Partner, UW-CISA

Robert Parker is a retired Deloitte Enterprise Risk partner. He has been involved with information technology for many years, is a Past International President of ISACA, has served on many AICPA committees (SysTrust, Privacy Task Force and Top Tech Issues) and on many CPA Canada committees (Privacy, the Information Technology Management Advisory Committee, Year 2000 Committee and Database Auditing, to name a few).

He is a member of the Board of Directors of the University of Waterloo Centre for Information Integrity and Systems Assurance.

S - 7

Opening Comments

Security continues to rank highly on nearly everyone’s list of concerns

AICPA – CPA Canada’s 25th Anniversary Top Tech Issues survey ranked security

Source: AICPA-CPA Canada 25th Anniversary Top Tech Survey


S - 8

Opening Comments

Security breaches involving personal information – information about an identifiable individual – are quickly becoming the norm

Source: AICPA-CPA Canada 25th Anniversary Top Tech Survey


S - 9


Cybersecurity

Source: AICPA-CPA Canada 25th Anniversary Top Tech Survey

Dropdown Questions

S - 10

Cybersecurity

Source: AICPA-CPA Canada 25th Anniversary Top Tech Survey


S - 11

CYBERSECURITY

S - 12

Source: http://www.idigitaltimes.com/10-largest-data-breaches-2014-sony-hack-not-one-them-403

CYBERSECURITY

S - 13

Source: http://www.idigitaltimes.com/10-largest-data-breaches-2014-sony-hack-not-one-them-403

CYBERSECURITY

S - 14

Source: http://www.idigitaltimes.com/10-largest-data-breaches-2014-sony-hack-not-one-them-403

CYBERSECURITY

S - 15

CYBERSECURITY

2015 Data Breaches

Anthem BlueCross BlueShield – 80 million patient records – February

Office of Personnel Management – 21.5 million records – May

Premera BlueCross BlueShield – 11.2 million records – January

Office of Personnel Management – 4.2 million records – April

Ashley Madison – 25 gigabytes (no indication of how many of their over 40.8 million members were exposed) – August

CareFirst BlueCross BlueShield – 1.1 million records – May

Hacking Team – 1 million emails – July

Army National Guard – 850,000 records – July

Penn State University – 18,000 records – February

S - 16

CYBERSECURITY

Data Breach Costs

By design, the data breach cases included in this research had a minimum value of 1,000 records and a maximum value of 100,000 records. As discussed, we do not include data breach cases in excess of 100,000 records because doing so would affect the findings, and such cases are not representative of the data breaches most companies experience.

S - 17

Cybersecurity

How many have this or a similar type of communication?

S - 18

USA adopting chip & signature rather than chip & PIN

Among the many EMV options are three for the cardholder verification method (CVM):

1) Chip and PIN – the most secure option because it requires the cardholder to enter a personal identification number with each purchase;

2) Chip and Signature – where the cardholder need only sign a receipt; and,

3) Chip and Nothing – where, as the name implies, the cardholder is not verified.

Likely motivation for not adopting Chip and PIN:

• Lack of desire to alter existing cardholder behavior by introducing PINs with credit cards

• An attempt to limit the cost of EMV (Electronic Member Verification) for merchants by not requiring the purchase of an EMV-compliant PIN pad. 
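The three options above are not separate card products; the issuer writes a priority list of verification methods onto the chip, and the terminal walks it. The Python below is an added example (not code from the panel or from the AICPA): it parses an EMV CVM List (tag 8E) using the CVM codes and condition codes of EMV Book 3, and labels a card's first applicable method with the panel's three names. The byte strings are constructed for illustration, not read from real cards, and classify_profile assumes an attended purchase without cashback at a terminal that supports every CVM.

```python
"""Parse an EMV CVM List (tag 8E) and report which cardholder verification
methods a card accepts, in the priority order the issuer configured.

Added example for the panel slide above, not code from the panel or the
AICPA. CVM codes and condition codes are those of EMV Book 3; the sample
byte strings are constructed for illustration, not read from real cards."""

import struct

# Low six bits of the first rule byte: the CVM code.
CVM_CODES = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verified by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN verified by ICC and signature",
    0x04: "Enciphered PIN verified by ICC",
    0x05: "Enciphered PIN verified by ICC and signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}

# Second rule byte: the condition under which the rule applies.
CVM_CONDITIONS = {
    0x00: "Always",
    0x01: "If unattended cash",
    0x02: "If not unattended cash, manual cash or purchase with cashback",
    0x03: "If terminal supports the CVM",
    0x04: "If manual cash",
    0x05: "If purchase with cashback",
    0x06: "If in application currency and under X",
    0x07: "If in application currency and over X",
    0x08: "If in application currency and under Y",
    0x09: "If in application currency and over Y",
}

PIN_CODES = {0x01, 0x02, 0x03, 0x04, 0x05}  # methods that verify the cardholder

# Constructed sample lists: amount X, amount Y, then 2-byte rules.
PIN_PREFERRED = bytes.fromhex("00000000" "00000000" "4103" "4203" "1E03" "1F00")
SIGNATURE_PREFERRED = bytes.fromhex("00000000" "00000000" "5E03" "1F00")
LOW_VALUE_NO_CVM = bytes.fromhex("00000000" "000003E8" "1F08" "4203" "5E03")


def parse_cvm_list(data):
    """Return (amount_x, amount_y, rules) from a raw tag-8E value.

    Bit 7 of the first rule byte set means 'try the next rule if this CVM
    fails'; clear means 'fail cardholder verification'."""
    if len(data) < 8 or (len(data) - 8) % 2 != 0:
        raise ValueError("CVM List must be 8 amount bytes plus 2-byte rules")
    amount_x, amount_y = struct.unpack(">II", data[:8])
    rules = []
    for i in range(8, len(data), 2):
        byte1, cond = data[i], data[i + 1]
        code = byte1 & 0x3F
        rules.append({
            "code": code,
            "name": CVM_CODES.get(code, "RFU/proprietary (0x%02X)" % code),
            "try_next_on_failure": bool(byte1 & 0x40),
            "condition": cond,
            "condition_name": CVM_CONDITIONS.get(cond, "Unknown (0x%02X)" % cond),
        })
    return amount_x, amount_y, rules


def _applies(cond, amount, amount_x, amount_y):
    """Evaluate a condition code for an attended purchase without cashback
    at a terminal that supports every CVM (an assumption of this example)."""
    if cond in (0x00, 0x02, 0x03):
        return True
    if cond in (0x01, 0x04, 0x05):  # cash and cashback rules do not apply
        return False
    return {0x06: amount < amount_x, 0x07: amount > amount_x,
            0x08: amount < amount_y, 0x09: amount > amount_y}.get(cond, False)


def classify_profile(data, amount):
    """Map the first applicable rule to the panel's three options:
    'chip and PIN', 'chip and signature' or 'chip and nothing'."""
    amount_x, amount_y, rules = parse_cvm_list(data)
    for rule in rules:
        if not _applies(rule["condition"], amount, amount_x, amount_y):
            continue
        if rule["code"] in PIN_CODES:
            return "chip and PIN"
        if rule["code"] == 0x1E:
            return "chip and signature"
        if rule["code"] == 0x1F:
            return "chip and nothing"
        if rule["try_next_on_failure"]:
            continue  # 'fail' or unrecognized code, card says try the next rule
        return "fail"
    return "fail"


if __name__ == "__main__":
    for label, cvm in [("PIN preferred", PIN_PREFERRED),
                       ("signature preferred", SIGNATURE_PREFERRED),
                       ("low value no CVM", LOW_VALUE_NO_CVM)]:
        print(label, "->", classify_profile(cvm, 2500))
        for r in parse_cvm_list(cvm)[2]:
            print("   ", r["name"], "|", r["condition_name"],
                  "| then next" if r["try_next_on_failure"] else "| else fail")
```

The third constructed list shows why "chip and nothing" is usually a threshold rather than a blanket policy: below amount Y the card asks for no verification at all, above it the same card falls through to online PIN, so an assessor reviewing card profiles needs the amounts as well as the rule codes.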

S - 19

Cybersecurity Participation

Open Discussion Following the Discussants’ Presentations

S - 20

Questions

Given the requirements for assessment criteria, is there a plan in place to continually or periodically review the technical information on cybersecurity and cyber breaches and update the AICPA’s guidance material?

Assessment Criteria

Scope of Assessments

S - 21

Questions

A number of high profile cyber security breaches have been successful by exploiting the “soft underbelly” of an almost unrelated organization.

Organizations are allowing or welcoming the perpetrators into their organization, sometimes unwittingly and at times as trusted business partners.

Where do we go from here?

What do we have to do to get managements’ attention?

S - 22

Questions

What are the top 3 cybersecurity risks that management must address?

S - 23

Questions

What impact has the “Internet of Things” had on the way businesses address or should address cybersecurity?

S - 24

Questions

Does BYOD significantly alter the Cybersecurity requirements?

Does MDM (Mobile Device Management) software do much to protect the organization?

S - 25

Questions

The media focuses on large security breaches involving personal information; is this useful, meaningful or appropriate?

What about SCADA controlled devices?

S - 26

Questions

Many organizations rely on the Fortress Model, whereby a strong and robust perimeter is established and monitored using IDS (Intrusion Detection Software) and IPS (Intrusion Prevention Software).

What else would you recommend that organizations do to strengthen their Cybersecurity defences to lessen the risk of an event occurring or, if one does occur, the impact of the Cybersecurity breach?

S - 27

Questions

The Ponemon Institute and others have frequently identified internal data breaches as being more prevalent than external cyber breaches, although fewer records may be accessed; is management focusing resources in the most appropriate area?

S - 28

Questions

Which is the most frequently adopted cybersecurity standard? (COBIT, NIST, ISO, Industry, AICPA, etc.)

S - 29

Questions

What are the key failings that management should avoid in ensuring that their organization is not a victim of a cyber security breach? What is management not doing that they should?

What are the key security controls that management should implement and monitor to ensure that their organization is not a victim of a cyber security breach?

S - 30

Questions

Where should cybersecurity responsibility reside? (ISP, Organization, Network Management, Data Owners, End Users, Subject Data)

S - 31

Questions

Has the general public become too acclimated and now accepts cyber security breaches as the norm?

Do you believe that users, customers and others will require a Cybersecurity certificate before doing business with an organization?

S - 32

Questions

On a scale of 1 to 10, with 10 being excellent and 1 being nonexistent or ineffective, where would you rank the existing technology-based tools designed to protect data in the event of a cyber-attack?

S - 33

Questions

Legislation, regulations and rules can only go so far in preventing cyber-attacks:

Where are they weak or non-existent?

Are the penalties severe enough?

Do they go far enough?

Can they ever be effective?

How can we motivate management to do it better?

S - 34

Thank You For Your Interest and Participation

S - 35